Salted passwords and password hashing: How do they work?

What is password hashing?

Password hashing is a process in which algorithms turn plaintext passwords into complex strings of numbers and letters, known as ciphertext. If you run a plaintext password (or any word or phrase) through a hashing algorithm, it produces a unique string of characters, sometimes referred to as a hashed value. The length of this hashed password can vary depending on the kind of algorithm that you use to produce it.

The hash may look to an observer like a random collection of numbers and letters, but it is created as a direct response to the plaintext input, so if you put the same text into the algorithm twice, you’ll get the same hash as a result. Here is an example of what a hashing process might look like (in this example, the plaintext password is “xty3l6bqr8”):

Hash (“xty3l6bqr8”) = 4n3920q25699841r05h5hg8h9w33nvlhg39501

A website can store user password hashes instead of plaintext data. When a user tries to log in, the algorithm generates the appropriate password hash. If it matches the hash in the website’s records, the user can access their account. However, if the website’s databases are hacked, all the hackers will get are the hashes, not the passwords themselves.

Unlike encrypted data, hashed data cannot be unhashed; the hashing process is irreversible, thanks to the algorithms used.

Common hashing algorithms

Many different password hashing algorithms, or hash functions, are available. Here are just a few of the most commonly used options:

• Message-digest algorithm 5. The message-digest algorithm 5 (MD5) is a hashing function that produces a 128-bit hash value.
• Secure hash algorithm. The secure hash algorithm (SHA) was a widely used hashing algorithm that could produce 160-bit hash values. The algorithm has been supplanted by the more secure SHA-2 hash function.
• Secure hash algorithm 2. After security issues arose with the SHA hashing function, SHA-2 was developed. This is a broad category or family of hashing functions. Each algorithm in this category has a name reflective of its value length. For example, SHA-256 produces a 256-bit hash value. SHA-2 functions are now the most commonly used hashing algorithms.
• Bcrypt. It’s a hashing function that produces a 192-bite hash value. Bcrypt is a slow-functioning algorithm that takes time to create password hashes and decrypt them, making it less susceptible to dictionary-based cyberattacks.

What is password salting?

Salting a password is a simple process in which a plaintext password is combined with a random collection of numbers and letters.

Let’s imagine that you need to create a password to set up your account on a website. You make your password “xty3l6bqr8,” a suitably random collection of characters, and input it. The website now initiates the salting process, adding a string of new random characters to the original password. For this example, we’ll say that the salting adds the following characters: “rsl41gjkal.”

Now, if a hacker breaks into the website’s database, they’ll find your password saved as “xty3l6bqr8rsl41gjkal” and won’t have any way of knowing where your password ends and the random extra characters begin. Your password has been salted.

To make salting even more secure, however, it should be combined with hashing.

Combining salting and hashing for security

Salting and hashing work well in tandem. Even though hashes can’t be directly reversed, hackers can technically reverse engineer a hash and make relatively accurate guesses at what the original input was. With access to a website’s hashes and a little time, they might still be able to figure out a user’s plaintext password.

This type of situation is where password salting can be helpful. Salting a hashed password involves adding randomized numbers and letters to the plaintext password before it is hashed. Here is a representation of this process:

Hash (“xty3l6bqr8 + “rsl41gjkal”) = 4n3920q25699841r05h5hg8h9w33nvlhg39501

A stored hash should always be salted for maximum security. If a hacker steals some hashed passwords and reverse engineers them, they end up with a salted password, not the password itself. Of course, a hacker could still target an individual user with a brute force attack, but that’s unlikely to work if the user has created a complex password, like “xty3l6bqr8.”

Encryption vs. hashing vs. salting

Encryption, or cryptography, is another security measure that is sometimes confused with hashing and salting. Let’s take a moment to clarify how these three security measures differ.

Encryption is the process of scrambling a piece of data, like a password, into a mass of incomprehensible characters. However, if you have the encryption key (a numerical code generated by the encryption protocol used) you can decrypt the data, turning it back into plaintext. Password managers like NordPass use password encryption to safely store your credentials.

In contrast, hashing cannot be reversed — it is essentially a form of one-way encryption. Salting is different, again, because it doesn’t involve converting the original plaintext but simply complicates the text with additional characters.

It’s worth remembering that encryption vs. hashing isn’t the right way to think about it. These security measures are not mutually exclusive and should really be combined.

Securing your organization

Hashing and salting are essential security measures for password storage. Storing passwords in plaintext is incredibly risky because it means a data breach could potentially compromise all user accounts.

Data breaches are a constant threat for businesses and organizations of all sizes. Preventing hacks and data leaks is important, but if they occur, it is vital that any passwords stored within the breached organization are hashed and salted.

Of course, proactive steps should be taken so that hashes never fall into the wrong hands in the first place. That’s why many organizations now use VPN services, like NordVPN, to encrypt their online activity. With employees increasingly working from outside their offices, being able to protect each individual device on a company network has never been more important.

NordVPN can keep data safe while in transit, even if the user is connecting to unsecure Wi-Fi. The VPN service also comes with Threat Protection, a powerful suite of tools that lower the threat of malware infection. If a company protects customer passwords with salting and hashing and encrypts their own networks with services like NordVPN, their overall security will be far stronger.